
DECEMBER 12, 2014 The State of the State of Cybersecurity.



Presentation on theme: "DECEMBER 12, 2014 The State of the State of Cybersecurity." — Presentation transcript:

1 DECEMBER 12, 2014 The State of the State of Cybersecurity

2 Agenda
- Global View: Headlines and the General State of the Falling Sky
- Texas View: What We Knew – Security Assessment findings; What We Now Can See
- Where Do We Go From Here: Preview of the 2015-2020 Statewide Cybersecurity Strategy

3 When it rains…

4 The World Around Us
- 63% of victim organizations are made aware by external entities
- Attackers spend an estimated 243 days on a victim network before they are discovered (down 173 days from 2011)

5 Commonalities and Comparable Traits: Industry (diagram with the elements Technology, Security Capabilities, Data, Attackers and People)

6 Commonalities and Comparable Traits: Government (diagram with the elements Technology, Security Capabilities, Data, Attackers and People)

7 Commonalities and Comparable Traits: Individual Agencies (diagram with the elements Technology, Security Capabilities, Data, Attackers and People)

8 Commonalities and Comparable Traits: Security Capabilities (diagram highlighting the Security Capabilities element)

9 Web Application Attack Detections - Financially Motivated (chart)

10 Web Application Attacks – Ideologically Motivated (chart)

11 Motivations, Targets and Objectives
Financial Motivations:
- Credit Cards: direct conversion
- Identity Information (PII): indirect conversion
- Health Information (PHI): indirect conversion
(Reuters) - Your medical information is worth 10 times more than your credit card number on the black market.
Other motivations:
- Mayhem, Activism and Reputation
- Espionage

12 Let’s Talk About

13 Security Assessment Benchmark
Chart comparing the Due Diligence Standard against the State of the State, on a maturity scale of 1 to 5, across these areas: App Security, Availability, Change Mgmt, Confidentiality, Endpoint Admission, Governance, Host Security, Access Mgmt, Integrity, Malware, Mobile Security, Monitoring, Network Perimeters, Network Zones, Physical Security, PKI-Encryption, Vulnerability Mgmt.
Maturity Level Definitions:
- Level 1: Initial/Ad Hoc
- Level 2: Developing/Reactive
- Level 3: Defined/Proactive
- Level 4: Managed
- Level 5: Optimized
Source: Gartner Security Assessments conducted 2011 through 2014
*Approximately 40 agencies, over 80% of state FTEs

14 7 Trends Identified
1. Internal network segmentation
2. Consistent event monitoring and analysis
3. Security governance / awareness
4. IT staffing challenges
5. Security in software development
6. Data classification
7. Identity and access management standardization

15 The Texas Cybersecurity Framework
- Agency Security Plan Template: implemented in January 2014
- Vendor Product / Service Template: implemented in March 2014
- Updated Texas Administrative Code Ch. 202: currently draft, publish February 2015
- Security Control Standards Catalog: currently draft, publish February 2015
- Guidelines and Whitepapers: ongoing effort
- Governance, Risk and Compliance Solution: to be complete Fall 2015

16 Agency Security Plans
- 40 security objectives defined
- Aligned to “Framework for Improving Critical Infrastructure Cybersecurity” released by NIST in February 2014
- Responsive to SB 1134 (Ellis) and SB 1597 (Zaffirini)
Security objectives by functional area:
Identify: Privacy and Confidentiality; Data Classification; Critical Information Asset Inventory; Enterprise Security Policy, Standards and Guidelines; Control Oversight and Safeguard Assurance; Information Security Risk Management; Security Oversight and Governance; Security Compliance and Regulatory Requirements Management; Cloud Usage and Security; Security Assessment and Authorization / Technology Risk Assessments; External Vendors and Third Party Providers
Protect: Enterprise Architecture, Roadmap & Emerging Technology; Secure System Services, Acquisition and Development; Security Awareness and Training; Privacy Awareness and Training; Cryptography; Secure Configuration Management; Change Management; Contingency Planning; Media; Physical Environmental Protection; Personnel Security; Third-Party Personnel Security; System Configuration Hardening & Patch Management; Access Control; Account Management; Security Systems Management; Network Access and Perimeter Controls; Internet Content Filtering; Data Loss Prevention; Identification & Authentication; Spam Filtering; Portable & Remote Computing; System Communications Protection
Detect: Malware Protection; Vulnerability Assessment; Security Monitoring and Event Analysis
Respond: Cyber-Security Incident Response; Privacy Incident Response
Recover: Disaster Recovery Procedures

17 Agency Security Plans
- Objective-based
- Uniform understanding of agency security program maturity using a traditional maturity model
Maturity levels (DIR description, with keywords):
- Level 0: There is no evidence of the organization meeting the objective. Keywords: None, Nonexistent
- Level 1: The organization has an ad hoc, inconsistent, or reactive approach to meeting the objective. Keywords: Ad-hoc, Initial
- Level 2: The organization has a consistent overall approach to meeting the objective, but it is still mostly reactive and undocumented. The organization does not routinely measure or enforce policy compliance. Keywords: Managed, Consistent, Repeatable
- Level 3: The organization has a documented, detailed approach to meeting the objective, and regularly measures its compliance. Keywords: Compliant, Defined
- Level 4: The organization uses an established risk management framework to measure and evaluate risk and integrate improvements beyond the requirements of applicable regulations. Keywords: Risk-Based, Managed
- Level 5: The organization has refined its standards and practices, focusing on ways to improve its capabilities in the most efficient and cost-effective manner. Keywords: Efficient, Optimized, Economized

18 Agency Security Plan Observations (chart: percentage of agencies by maturity level)

19 Observations – Size Matters (chart: maturity versus agency size by FTE count)

20 Effect of External Regulations (chart: maturity by article number)
- Article 1, General Government: varies
- Article 2, Health and Human Services: HIPAA, CJIS, IRS, SSA
- Article 3, Education: FERPA
- Article 4, Judicial: CJIS
- Article 5, Public Safety and Criminal Justice: CJIS
- Article 6, Natural Resources: varies
- Article 7, Business and Economic Development: varies
- Article 8, Regulatory: varies

21 A Layer Below the Surface

22 Highlights and Roadmap Improvements
Successes to Build Upon:
- Spam Filtering
- Account Management
- Disaster Recovery
- Security Systems Management
Areas for Improvement:
- Data Loss Prevention
- Secure System Services, Acquisition and Development
- Cloud Usage and Security

23 A Look to the Future

24 Framework Lifecycle

25 Security Personnel
Pay grades for IT classifications, IT security classifications and the new security classifications:
- B16: Systems Analyst I, Network Specialist I
- B17: Programmer I
- B18: Systems Analyst II, Network Specialist II, Web Administrator I
- B19: Programmer II
- B20: Systems Analyst III, Network Specialist III, Web Administrator II
- B21: Programmer III
- B22: Systems Analyst IV, Network Specialist IV, Web Administrator III
- B23: Programmer IV; Information Technology Security Analyst I
- B24: Systems Analyst V, Network Specialist V, Web Administrator IV
- B25: Programmer V; Information Technology Security Analyst II; Cybersecurity Analyst I (new)
- B26: Systems Analyst VI, Network Specialist VI, Web Administrator V
- B27: Programmer VI; Information Technology Security Analyst III; Cybersecurity Analyst II (new)
- B29: Cybersecurity Analyst III (new)
- B30: Information Security Officer / Cybersecurity Officer (new)
- B31: Chief Information Security Officer* (new)

26 Education, Communication and Awareness
Objective 1 - Establish and expand the Texas Infosec Academy to provide the state’s security personnel the knowledge needed to deliver agency security programs.
- NICCS Core Security Professionals Courses: 6 career tracks
- CISO Strategic Course: budget, strategy, executive communication, leadership
- Certification Exam Preparation Courses: CISSP, CISM, CEH, CISA
- Texas Cybersecurity Framework Training: TAC 202 and Security Control Standards
- RSA Archer eGRC Training: incident reporting and analysis; agency security plans and risk management
- Platform for exercises: tabletop incident response scenarios; Red Team / Blue Team detection and active response; statewide coordination exercises; participation in national readiness exercises such as Cyber Storm

27 Education, Communication and Awareness
Objective 2 - Deliver high quality communication products and events that provide valued information to security personnel, partners and stakeholders throughout the state.

28 Security Operations and Services
Objective 1 - Establish an Enterprise Managed Security Services Provider (MSSP) and Multisourcing Service Integrator (MSI) model to provide key security operations for statewide program and agency functions.
Objective 2 – Identify and protect from cybersecurity threats against Texas information resources (Identify / Protect).
Objective 3 - Detect cyber attacks and identify attack campaigns launched against Texas information resources and critical infrastructure (Detect).

29 Coordination – Collaboration – Outreach
Objective 1 - Establish a statewide cybersecurity coordination and collaboration platform (HSIN).
Objective 2 - Enable regional cybersecurity response coordination.
Objective 3 - Coordinate statewide cybersecurity exercises and preparedness.
Objective 4 – Coordinate the information sharing among the state’s key entities.
Objective 5 – Establish a competent and capable cybersecurity workforce supply.

30 Thank You
